Name That User: LightCyber Finds Attackers by Triangulating Users, Devices, and Network Traffic

November 2nd, 2016 by Kasey Cross

User Behavior AnalyticsFinding active attackers in a network requires a high degree of precision. To maximize detection accuracy, LightCyber Magna monitors user access—as well as network and endpoint activity—to build a baseline of normal behavior. Since every user is unique, LightCyber profiles each user individually. With Magna 3.5, LightCyber has boosted Magna’s user profiling capabilities by detecting changes in user behavior and by comparing new users’ activity to other users on the network. These new types of detections provide even more robust warning signs that an advanced attack is in progress.

Magna 3.5 also introduces more granular intelligence of Virtual Private Network (VPN) users, allowing Magna to map internal network traffic to individual remote users. While Magna already supported VPN access in previous releases, the new integration with VPN access logs allows Magna to more accurately profile remote users and detect attacks originating from dynamic VPN clients.


Magna reveals that a user accessed sixteen new devices in a suspicious manner.

User Behavior Analysis in Action

Magna’s enhanced user behavior analysis detects two new types of attack behaviors: a new user conducting unusual activities or an existing user exhibiting new behavior. Magna monitors user access to servers and workstations, to build a behavioral profile by user. Magna also observes successful and failed authentication events and focuses on low and slow irregular authentication activity that might not be spotted by Magna’s existing brute force attack detectors.
These new detection capabilities complement existing device and user-based anomaly detection capabilities. They enhance Magna’s lateral movement detectors by identifying attackers using stealthy, low and slow attack methods to gain access to new assets.

Zeroing in on Individual VPN Users

While VPN users have been supported since Magna version 1.0, a new feature in our 3.5 release enables Magna to correlate a remote assess user connecting to the network through a VPN gateway to an IP address, even when IP addresses are dynamically assigned and fluctuate frequently. By parsing VPN logs, Magna will map observed network traffic to individual users. Magna then profiles and monitors each remote user’s activity over time in the same way it analyzes local users and local hosts on the network. And Magna goes above and beyond most log-based User Behavior Analytics (UBA) solutions because it examines every packet between the VPN user and hosts in the local network.

This network visibility comes in handy when detecting irregular activity that may not show up in VPN logs files. As an example, about a year ago (and well before Magna’s new VPN intelligence feature) Magna identified a VPN user accessing and controlling other workstations. After the Magna customer’s security team examined the VPN user’s PC, they discovered that a Trojan had infected the PC. The anomalies that exposed the Trojan would have been difficult to uncover just by analyzing VPN logs.

Learn How Magna Detected a Red Team Attack and Ransomware

See how a leading media company uses LightCyber Magna to detect would-be internal or external attackers in this video.


Leave a Reply

Your email address will not be published. Required fields are marked *